A new security bug report has been reported by the bug bounty program.
Claude Analysis Result
Possible code path of the root cause: /src/sentry/api/endpoints/setup_wizard.py
Possible reason: The report explicitly targets the setup-wizard flow, specifically the endpoints GET /api/0/wizard/ and GET /api/0/wizard/<hash>/, as well as the frontend page /settings/wizard/<hash>/. The CODEOWNERS file has two explicit entries for these: /src/sentry/web/frontend/setup_wizard.py @getsentry/team-javascript-sdks and /src/sentry/api/endpoints/setup_wizard.py @getsentry/team-javascript-sdks. The vulnerability is entirely within the setup wizard's hash allocation, cache population, and token leakage logic, which maps directly to these files owned by team-javascript-sdks.
Possible owner: @getsentry/team-javascript-sdks
Confidence score: 95
**If you believe the issue is incorrectly assigned, please assign it to the correct team or let the security team know. Thank you!**
To reduce the risk of accidental information disclosure, we are intentionally not exposing full vulnerability details here.
Please see the parent ticket for the full report: VULN-1424